Credential Stuffing 101: What It Is and How to Prevent It

Wiz Experts Team
9 minute read
Credential stuffing main takeaways:
  • Credential stuffing is when attackers use automated tools to repeatedly inject stolen credential combinations into various services to gain access to legitimate users’ accounts.

  • MFA prevents hackers from accessing users’ accounts, even if they have the correct credentials. 

  • Despite their low success rate of 0.2% to 2%, credential stuffing attacks remain a favorite of threat actors because they’re cheap and require minimal tech expertise.

  • Organizations should have a quick, tried-and-tested incident response plan that includes containment, investigation, resolution, notification, and password resets.

What is credential stuffing?

Credential stuffing is a type of cyberattack in which attackers use automated tools to repeatedly inject stolen username/password combinations into various services in order to access legitimate users’ accounts. Because people tend to recycle login credentials across multiple unrelated services, once hackers have account information for one app or website, they may be able to log into increasingly valuable accounts.

These attacks can have lasting effects on companies and customers. They’re costly, too—IBM reports that the average data breach cost was $4.88M in 2024, 10% higher than the previous year. Because of this, organizations can’t take chances when technology already offers solutions to mitigate credential stuffing risks.

How do credential stuffing attacks work?

Credential stuffing is often a precursor to account takeovers and other, more sophisticated attacks. Here’s how it works:

  1. Collecting data: The threat actor acquires username/password pairs from a previous data breach, a man-in-the-middle attack, the dark web, or a phishing attack.

  2. Setting up automation: A hacker deploys bots to test the credentials against as many apps and websites as possible. Bad actors typically obtain credentials from one service and use them on other unrelated services.

  3. Attacking: The hacker filters the lot, gathers the successful login attempts, and stores the confirmed-valid credentials.

  4. Executing the goal: The threat actor carries out the goal(s) of the attack. These may vary, depending on the target:

    • Organizations: Targets administrative accounts to move laterally within the system, conduct further attacks (like malware and ransomware attacks), or steal patents and trade secrets

    • Email and social media services: Accesses personal and business accounts in messaging services to instigate phishing and social engineering attacks on victims’ trusted contacts

    • Credential trading: Validates credentials to resell at higher values to other threat actors

How dangerous are credential stuffing attacks?

An illustration that shows threats to password security, one of which is credential stuffing (Source: TeamPassword)

Most cybercrime statistics estimate credential stuffing attacks’ success rate to be from 0.2–2.0%. Because a single campaign can replay millions of stolen pairs, even that rate means your organization could have thousands or millions of impacted stakeholders.

Credential stuffing remains a favorite for threat actors and is very dangerous to both customers and enterprises because:

  • It’s inexpensive and requires minimal tech expertise to conduct, so with little investment, hackers can access high-value accounts.

  • Cybercriminals can deploy automation scripts and bots to conduct large-scale attacks and circumvent web application security mechanisms like IP blocking.

  • Credential databases are readily available to hackers—over 24 billion username/password pairs are circulating on cybercrime hubs.

The Snowflake identity-based attacks in 2024, one of the biggest cybersecurity incidents of that year, are one example of a preventable credential stuffing attack. ShinyHunters attackers accessed millions of individuals’ personal and corporate data from around 165 organizations because of weak authentication practices, such as missing multifactor authentication (MFA). These preventable attacks have unfortunately affected many customers and organizations across industries—and continue to do so.

Examples of credential stuffing attacks

The Snowflake incident is just one of many attacks that organizations and customers have faced because of poor security against credential stuffing. Below are two more examples:

Roku implements 2FA after attacks

Imagine waking up to emails about multiple Roku video streaming app purchases. You might occasionally rent a movie, but those purchases don’t look like yours. 

In 2024, threat actors conducted two credential stuffing attacks on Roku customers. These events compromised 15,363 customer accounts in the first attack and about 576,000 accounts in the second. Additionally, the attackers stole around 400 financial credentials for unauthorized purchases. 

After these two incidents, Roku required 2FA so users could verify their identity when logging in through email and prevent these attacks from happening again.

Amtrak learns how serious external breaches can be

When you earn reward points for your purchases, the last thing you expect is for someone to hijack your account and use them. But that’s precisely what happened to Amtrak customers after bad actors accessed their Guest Rewards Accounts.

In these attacks, hackers used credentials from past breach incidents to access Amtrak accounts from May 15–18, 2024. During this time, they changed email addresses, personal information, and more, which made it more difficult for customers to regain access.

After remediating the issue, Amtrak implemented MFA through email and text to prevent future attacks. 

Recommendations for preventing credential stuffing attacks

The OWASP Credential Stuffing Cheat Sheet suggests several prevention mechanisms, including the following:

1. Implement MFA

MFA prevents hackers from accessing user accounts, even with the correct credentials, because a login must present factors from two or more of the following categories:

  • Something the user knows: Security questions, passwords, and PINs

  • Something they are: Biometrics like fingerprints or facial recognition

  • Something they have: Physical security keys, one-time links, or codes via email or SMS

However, the extra time and effort MFA requires may frustrate users. To balance security and convenience, organizations should implement MFA as:

  • A re-authentication mechanism: Require MFA before allowing users to purchase items, transfer funds, or perform other privileged activities.

  • A complement to monitoring: Continually monitor MFA alongside user activity and bot detection. When you discover bots or suspicious login attempts, you can automatically trigger MFA.

  • Bot detection integrations: Pair MFA with tools like CAPTCHA or rate-limiting (such as blocking IPs after five failed attempts) to flag automated attacks. If a bot tries 1,000 logins per hour, trigger MFA for all attempts from that IP.

  • User-friendly options: Offer push notifications (like Microsoft Authenticator) or biometric fallbacks to reduce friction.
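The throttling and step-up logic described above, as an added example that is not part of the original article: a login gate that counts recent failures per source IP and per account, forces MFA once an IP or account looks suspicious, blocks an IP after the five failures the text mentions, and puts an account into a cooldown after repeated failures. The other thresholds are assumptions for the example.

```python
import time
from collections import defaultdict, deque

# Thresholds are assumptions for this example, apart from the "five failed
# attempts" per-IP block the article mentions.
WINDOW_SECONDS = 3600          # sliding window for counting failures
IP_MFA_TRIGGER = 3             # failures from one IP before MFA is forced
IP_BLOCK_LIMIT = 5             # failures from one IP before it is blocked
ACCOUNT_MFA_TRIGGER = 2        # failures on one account before MFA is forced
ACCOUNT_LOCK_LIMIT = 5         # failures on one account before a cooldown
COOLDOWN_SECONDS = 4 * 3600    # account cooldown after repeated failures


class LoginThrottle:
    """Returns ALLOW, MFA or BLOCK for a login attempt before the password
    is even checked, so stuffing bots hit a step-up or a wall early."""

    def __init__(self):
        self.ip_failures = defaultdict(deque)       # ip -> failure timestamps
        self.account_failures = defaultdict(deque)  # username -> timestamps
        self.cooldown_until = {}                    # username -> unix time

    @staticmethod
    def _prune(q, now):
        while q and now - q[0] > WINDOW_SECONDS:
            q.popleft()

    def decide(self, ip, username, now=None):
        now = time.time() if now is None else now
        if self.cooldown_until.get(username, 0) > now:
            return "BLOCK"  # account is still in its cooldown period
        ip_q, acct_q = self.ip_failures[ip], self.account_failures[username]
        self._prune(ip_q, now)
        self._prune(acct_q, now)
        if len(ip_q) >= IP_BLOCK_LIMIT:
            return "BLOCK"  # IP exhausted its failure budget in the window
        if len(ip_q) >= IP_MFA_TRIGGER or len(acct_q) >= ACCOUNT_MFA_TRIGGER:
            return "MFA"    # require a second factor before accepting the password
        return "ALLOW"

    def record_failure(self, ip, username, now=None):
        now = time.time() if now is None else now
        self.ip_failures[ip].append(now)
        acct_q = self.account_failures[username]
        acct_q.append(now)
        self._prune(acct_q, now)
        if len(acct_q) >= ACCOUNT_LOCK_LIMIT:
            self.cooldown_until[username] = now + COOLDOWN_SECONDS
            acct_q.clear()
```

Call decide() before verifying the password and record_failure() after a bad password, so the counters reflect attempts the attacker actually made.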

2. Enforce unique credential usage

Organizations should prevent users from reusing credentials by comparing username/password pairs during account sign-ups to compromised credentials in free or paid credential databases. For example, you can integrate an API that blocks passwords that have appeared in a breach.

Keep in mind that users may reuse compromised credentials that aren’t yet available in third-party vendor databases. However, you can provide users with unpredictable auto-generated usernames for greater security. 

Pairing these approaches with user-provided display names can further improve both security and usability. For instance, a healthcare portal might allow users to pick a name like “Dr. Jones,” while the system assigns a secure login ID like “djones-5fas7w1m.” You can use this method, along with SSO, to reduce credential fatigue.
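The breached-credential check described above, as an added example that is not code from the article: it implements the k-anonymity range lookup used by services such as Pwned Passwords, where only the first five characters of the password's SHA-1 hash are sent to the service and the match is done locally. The breach corpus and the local range endpoint are constructed stand-ins so the block runs offline; the 12-character length floor is an assumption, not a value from the article.

```python
import hashlib

# Constructed stand-in for a breached-credential service: password -> times seen.
CONSTRUCTED_BREACH_CORPUS = {"password": 9_000_000, "123456": 30_000_000,
                             "qwerty": 4_000_000, "MySecurePassword123": 3}


def sha1_hex_upper(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def local_range_lookup(prefix):
    """Stand-in for a k-anonymity range endpoint. The real Pwned Passwords
    API (GET https://api.pwnedpasswords.com/range/<prefix>) answers with one
    'SUFFIX:COUNT' line per breached hash that shares the 5-character
    prefix, so the full hash never leaves your application."""
    lines = []
    for pw, count in CONSTRUCTED_BREACH_CORPUS.items():
        digest = sha1_hex_upper(pw)
        if digest.startswith(prefix):
            lines.append(f"{digest[5:]}:{count}")
    return "\r\n".join(lines)


def breach_count(password, range_lookup=local_range_lookup):
    """Return how many times the password has been seen in breaches (0 if never)."""
    digest = sha1_hex_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in range_lookup(prefix).splitlines():
        found_suffix, _, count = line.partition(":")
        if found_suffix == suffix:
            return int(count)
    return 0


def validate_new_password(password, range_lookup=local_range_lookup):
    """Sign-up / password-change check: reject anything seen in a breach."""
    if len(password) < 12:  # length floor is an assumption, not from the article
        return False, "password must be at least 12 characters"
    seen = breach_count(password, range_lookup)
    if seen:
        return False, f"password has appeared in known breaches {seen} times"
    return True, "ok"
```

A password absent from the corpus can still be compromised in a breach the service has not ingested yet, which is why the check complements rather than replaces MFA.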

3. Leverage password-free authentication

Another prevention tactic is to abandon passwords entirely in favor of alternative authentication mechanisms like one-time passwords, biometrics, and tokens. If no static passwords are available to compromise, attackers can’t use the vector they typically exploit.

The following example initializes a FIDO2 server for passwordless authentication (using the python-fido2 library) and starts the registration and authentication ceremonies. Each begin call returns the options to send to the browser plus server-side state; the matching register_complete or authenticate_complete call takes that state together with the browser’s response to verify it:

from fido2.webauthn import (
    PublicKeyCredentialRpEntity,
    PublicKeyCredentialUserEntity,
    UserVerificationRequirement,
)
from fido2.server import Fido2Server

# The relying party ID must match the domain the browser sees
rp = PublicKeyCredentialRpEntity(name="Example RP", id="example.com")
server = Fido2Server(rp)

user = PublicKeyCredentialUserEntity(
    name="username", id=b"user_id", display_name="User Name"
)

# Registration: send registration_data to navigator.credentials.create() in the
# browser; keep state in the session and pass it to server.register_complete()
registration_data, state = server.register_begin(
    user, user_verification=UserVerificationRequirement.REQUIRED
)

# Authentication: allow only credentials registered for this user (load the
# stored AttestedCredentialData objects here); send auth_data to
# navigator.credentials.get() and pass the response to server.authenticate_complete()
registered_credentials = []
auth_data, state = server.authenticate_begin(
    registered_credentials, user_verification=UserVerificationRequirement.REQUIRED
)

4. Integrate obfuscation techniques

Organizations should also protect passwords with hashing, salting, and encryption so that a stolen database or an intercepted connection does not hand attackers usable credentials. These techniques protect passwords as they travel from clients to servers and while they sit in storage databases:

  • Encryption converts plaintext into ciphertext that can be decrypted with the key, which suits data in transit.

  • Hashing turns plaintext into a fixed-length digest that cannot be reversed, which suits stored passwords.

  • Salting adds random data to each password before hashing, so identical passwords produce different hashes and precomputed lookup tables are useless.

To protect passwords at rest, use a strong, deliberately slow password hashing algorithm with a unique salt per password. Additionally, encrypt your data in transit with protocols like TLS and HTTPS.

Here’s a password hashing example:

import hashlib
import os
import base64

def hash_password(password):
    """Password hashing using PBKDF2-HMAC-SHA256 with a per-password random salt"""
    # Generate a random salt
    salt = os.urandom(16)
    
    # Hash the password with the salt
    hashed = hashlib.pbkdf2_hmac(
        'sha256',                   # Hash algorithm
        password.encode('utf-8'),   # Convert password to bytes
        salt,                       # Salt for this password
        100000,                     # Number of iterations (OWASP currently recommends 600,000 for PBKDF2-HMAC-SHA256)
        dklen=32                    # Length of the derived key
    )
    
    # Combine salt and hash for storage
    storage_string = base64.b64encode(salt + hashed).decode('utf-8')
    return storage_string

# Example usage
password = "MySecurePassword123"
hashed_password = hash_password(password)
print(f"Hashed password: {hashed_password}")
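A hash on its own is only half of what a login path needs, so here is an added example (not the article’s code) of the same PBKDF2-HMAC-SHA256 construction with the other half: a constant-time verifier and an upgrade check. The stored record carries its own iteration count so the work factor can be raised later without locking anyone out; the record format and the 600,000-iteration default are choices made for this example.

```python
import base64
import hashlib
import hmac
import os

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000      # OWASP's current PBKDF2-HMAC-SHA256 recommendation
SALT_BYTES = 16
KEY_BYTES = 32


def hash_password(password, iterations=ITERATIONS):
    """Return 'pbkdf2_sha256$<iterations>$<salt_b64>$<hash_b64>'. Storing the
    parameters beside the hash lets you raise the work factor later."""
    salt = os.urandom(SALT_BYTES)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                              iterations, dklen=KEY_BYTES)
    return "$".join([ALGORITHM, str(iterations),
                     base64.b64encode(salt).decode(), base64.b64encode(key).decode()])


def verify_password(password, stored):
    """Recompute with the stored salt and iterations; compare in constant time
    so the comparison itself leaks nothing about how many bytes matched."""
    try:
        algorithm, iterations, salt_b64, key_b64 = stored.split("$")
        if algorithm != ALGORITHM:
            return False
        iterations = int(iterations)
        salt, expected = base64.b64decode(salt_b64), base64.b64decode(key_b64)
    except ValueError:  # malformed or truncated record (binascii.Error is a ValueError)
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                    iterations, dklen=len(expected))
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored):
    """True when the record was hashed below the current policy; call after a
    successful verify_password() and re-store hash_password(password)."""
    parts = stored.split("$")
    try:
        return len(parts) != 4 or parts[0] != ALGORITHM or int(parts[1]) < ITERATIONS
    except ValueError:
        return True
```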

How to detect credential stuffing attempts early

While the best practices above can help you stop credential stuffing, you can also implement the following steps to improve your cloud security posture:

Monitor user activity

Security teams should monitor user accounts for suspicious or anomalous activity like unexpected traffic volume spikes (such as too many login attempts at once), resource consumption hikes, faster-than-usual credential entry, failed login attempts, and lateral movement.

Robust monitoring requires automated cloud security solutions that provide complete visibility into cloud activity and continuously scan software environments for threats. Wiz Defend, for example, constantly monitors your security so you can stop breaches before they happen.

Scan for and alert on anomalous activity 

To nip attacks in the bud, be sure to notify users when your team detects anomalous activities. These alerts should include details like the time or location of the suspicious activity. However, use notifications sparingly—frequent anomaly notifications may desensitize users and add fatigue.

Additionally, you should scan all accounts for other ongoing illegitimate activity whenever one or more users report fraudulent activities.

Use bot-detection mechanisms

Attackers often deploy bots to conduct large-scale attacks. Because of this, organizations should implement bot-detection and -deception mechanisms like CAPTCHAs, puzzles, and honeypots to stop bots in their tracks. That way, your security team receives alerts only for high-risk accounts or genuinely anomalous activity.

The downside of bot-detection techniques is that advanced bots may be able to evade one or more of these mechanisms. But the good news is that many kinds of bot-detection software, both free and paid, use a combination of these mechanisms, which makes evading them all much more difficult.

Along with implementing CAPTCHAs and honeypots, you can leverage a unified cloud security platform like Wiz to analyze traffic logs for unusual patterns and suspicious events. Over time, you can also block IPs connected to bot networks. 

Credential stuffing vs. brute force attacks

OWASP categorizes credential stuffing as a subset of brute force attacks because both involve using bots to illegitimately log into accounts. However, there are important differences between the two:

Characteristics | Credential stuffing | Brute force attacks
--- | --- | ---
Technique | Using credentials from previous data breaches to log into other systems and networks | Randomly trying various common password combinations against a single user account
Exploited weaknesses | Reusing passwords across multiple apps | Using weak or default passwords
Detection mechanism | Repeating failed login attempts and suspicious or unauthorized account activity | Repeating failed login attempts and, to a lesser extent, suspicious or unauthorized account activity

Although the two types of attacks are related, these differences mean that security teams must handle credential stuffing and brute force attacks differently for mitigation and logging purposes.
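The detection signals from the monitoring section and the differences in the table above, as an added example that is not part of the article: a small log analysis that profiles login attempts per source IP and separates the credential stuffing pattern (many distinct accounts, about one attempt each, occasional success) from the brute force pattern (one account, many attempts), then lists the accounts that need a password reset. The log format, thresholds, and sample events are constructed for this example.

```python
import re
from collections import defaultdict

# Constructed auth log: one line per login attempt (not from any real system).
SAMPLE_EVENTS = (
    [("203.0.113.5", f"user{i}", "FAIL") for i in range(9)]
    + [("203.0.113.5", "user9", "OK")]                  # one replayed pair still works
    + [("198.51.100.7", "carol", "FAIL")] * 8           # many guesses, one account
    + [("192.0.2.10", "dave", "FAIL"), ("192.0.2.10", "dave", "OK")]  # typo, then success
)
SAMPLE_LOG = "\n".join(
    f"2024-05-15T10:00:{i:02d}Z ip={ip} user={user} result={result}"
    for i, (ip, user, result) in enumerate(SAMPLE_EVENTS)
)
LOG_RE = re.compile(r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$")
FAIL_THRESHOLD = 5       # assumption: fewer failures than this is not flagged
SPREAD_THRESHOLD = 0.8   # assumption: distinct users / attempts at or above this = stuffing


def profile_ips(log_text):
    """Aggregate per source IP: attempts, failures, distinct and successful users."""
    stats = defaultdict(lambda: {"attempts": 0, "failures": 0, "users": set(), "ok_users": set()})
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the expected format
        ev = m.groupdict()
        s = stats[ev["ip"]]
        s["attempts"] += 1
        s["users"].add(ev["user"])
        if ev["result"] == "FAIL":
            s["failures"] += 1
        else:
            s["ok_users"].add(ev["user"])
    return stats


def classify(stats):
    """Credential stuffing: many accounts, about one try each. Brute force:
    one account, many tries. Both share the 'repeated failures' signal."""
    verdicts = {}
    for ip, s in stats.items():
        if s["failures"] < FAIL_THRESHOLD:
            verdicts[ip] = "normal"
        elif len(s["users"]) / s["attempts"] >= SPREAD_THRESHOLD:
            verdicts[ip] = "credential-stuffing"
        elif len(s["users"]) == 1:
            verdicts[ip] = "brute-force"
        else:
            verdicts[ip] = "suspicious"
    return verdicts


def accounts_to_reset(stats, verdicts):
    """Accounts that logged in successfully from a flagged IP need a password reset."""
    flagged = {ip for ip, v in verdicts.items() if v != "normal"}
    return set().union(*(stats[ip]["ok_users"] for ip in flagged))
```

Real stuffing campaigns spread attempts across many IPs, so in production the same profile should also be computed per user agent, ASN, or time bucket rather than per IP alone.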

Responding to credential stuffing

Organizations should have a quick, tried-and-tested incident response plan that includes containment, investigation, resolution, notification, and password resets—especially since slow incident response can lead to more devastating consequences, lawsuits, and fines. Enforcing strong password changes is also crucial for preventing repeat attacks.

Your incident response plan should include actions for the following:

  • Detection and alerts: Use a monitoring tool to detect suspicious login patterns and instances. For example, a SIEM can detect anomalies in real time. Additionally, be sure to notify users if you find a breach that affects them.

  • Containment: Lock accounts that show suspicious activity and unauthorized access. Identify these accounts by looking for multiple failed logins, and block IP addresses linked to malicious activity.

  • Investigation: Use log analysis to determine the attack’s origin. This involves reviewing login timestamps, IP addresses, and suspicious patterns. Then, find the compromise’s source and compare the credentials with known breaches across industries.

  • Action and prevention: Force password resets for affected users and make adjustments to prevent similar issues based on your newly discovered gaps. Solutions include adding MFA and similar authentication steps.

  • Communication: Transparently share your incident response. Users need to know what happened, how it affected them, what you did to fix it, and what you did to prevent it from happening again.

Responding to brute force attacks

In some instances, you may face a brute force attack. To combat these, you can restrict login attempts per account or IP address to prevent further attacks or limit an attack’s impact. You can also add a cooldown of a few hours or longer after multiple failed attempts. These actions help you mitigate login guesses while securing and protecting real users.

The best incident response plan is preventing the next breach. A cloud-native application protection platform (CNAPP) can help with this by unifying your cloud security posture and implementing preventative measures to minimize credential stuffing risks.

Prevent credential stuffing: Adopt Wiz

Credential stuffing attacks are becoming increasingly sophisticated, and they cause steep financial and reputational costs to organizations. Unfortunately, no single tool or prevention mechanism can fully stop them—but a combination of user activity monitoring and other prevention mechanisms can serve as effective deterrents.

That’s where Wiz comes in. This CNAPP provides a comprehensive security analysis that inspects cloud environments and configurations, which can help you detect and prevent credential stuffing attacks. 

With Wiz Defend, your team can get actionable identity security, as well as full context and visibility, by mapping identity risk against real attack activity. It combines cloud infrastructure entitlement management with real-time runtime and cloud workload visibility. But Wiz Defend doesn’t stop at tracking logins and permission changes—it also detects privilege escalation, identity sprawl, and unauthorized access before attackers can take control.

Don’t wait for a breach to happen—download Wiz’s free template today to secure your cloud with a proven incident response plan.
